Hi John,
--On Freitag, 17. Mai 2002 07:16 -0700 John Messing
<jmessing@law-on-line.com> wrote:
> I find this thread to be very useful but it raises questions to me about
> the ultimate usefulness of xml dsig for signing objects.
>
> Because the spec is based upon signing references that are described in
> xml, even if no other xml is being signed and no other transforms may be
> necessary, the method requires cannonicalization, as Manoj's example
> demonstrates, which according to the interoperability results, degrades
> performance. (Even at the best reported result from John Boyer of .5
> second to sign, this seems acceptable only for atomic transactions and
> probably will not be acceptable for high traffic server transactions).
I guess there is a little misunderstanding: There are two scenarios which
are mixed here:
1: Your scenario (if I understood right) is to sign an arbitrary binary
file.
2: John's scenario with the 500 milli-seconds computation time refer to
signing a large XML instance with complicated transforms.
The time it takes to create (or verify) an XML signature is composed of
these:
a) the time to fetch the resource which is identified by the reference.
1: In your case, this is easy: A binary file on the hard
disk. Read access. Same time for ALL signature
applications, regardless whether you use XML Signature,
PGP or S/MIME
2: If John identifies a node set via same-document URI, this takes
longer: eventually, the XML must be parsed, and the nodes must be
selected.
b) the time to mangle the de-referenced contents through eventually
existing transforms:
1: No transform in your example, so time=zero. This is the case
also for PGP or S/MIME because they do not support the transforms
mechanism
2: Complicated transform in John's case. Time REQUIRED <= 500ms
c) the time to canonicalize the signed info:
1: THIS is where PGP or S/MIME is maybe a little bit faster, because
the digest of the signed resource is used as input for the public
key algo.
2: Time depends on how many references the SignedInfo contains, but
my guess is about 1 milli-second or so.
d) the time for the signature or MAC algo
1/2: same time as for PGP/S/MIME, because they also use RSA/DSA/ECDSA.
So you see, creating an S/MIME or PGP signature on a binary file takes the
same time as creating an XML Signature (one reference, no transforms, same
public-key-algo as the S/MIME-PGP-thing).
Regards,
Christian